Version 48 (modified by jazz, 15 years ago)
2009-04-19
- Because the system was upgraded from Etch to Lenny, the Python environment went from 2.4 to 2.5 and Trac from 0.10 to 0.11, and neither the old Trac configuration file nor the old plugins work any more. The Trac plugins had to be reinstalled from scratch.
- Configuration file: first generate a brand-new template directory with trac-admin testbed initenv, then use vimdiff to see which new parameters need to be added.
- Plugins:
- First, note that Trac 0.11 already includes TracAccountManager and TracWebAdmin, so they must not be installed again; otherwise there will be a pile of errors.
- Graphviz Plugin - an extension for drawing diagrams with graphviz syntax
```
$ w3m "http://trac-hacks.org/changeset/latest/graphvizplugin/0.11-0.7.4?old_path=/&filename=graphvizplugin/0.11-0.7.4&format=zip"
$ unzip graphvizplugin_0.11-0.7.4-r5537.zip
$ cd graphvizplugin/0.11-0.7.4
graphvizplugin/0.11-0.7.4$ sudo python setup.py bdist_egg
graphvizplugin/0.11-0.7.4$ sudo easy_install dist/graphviz-0.7.4-py2.5.egg
```
- WikiInclude - lets you include the content of other wiki pages with the [[WikiInclude(WikiStart)]] syntax
```
$ wget "http://trac-hacks.org/attachment/wiki/WikiIncludePlugin/0.11.versions.tbz2?format=raw" -O wikiincludeplugin-0.11.tar.gz
$ tar jxvf wikiincludeplugin-0.11.tar.gz
$ cd 0.11
0.11$ cat > setup.py << EOF
from setuptools import setup

PACKAGE = 'WikiInclude'
VERSION = '0.2'
DESCRIPTION = 'Page include plugin for Trac Wiki'

setup(name=PACKAGE, version=VERSION, packages=['wikiinclude'],
      entry_points={'trac.plugins': ['wikiinclude.wikiinclude=wikiinclude.wikiinclude']})
EOF
0.11$ sudo python setup.py bdist_egg
0.11$ sudo easy_install dist/WikiInclude-0.2-py2.5.egg
```
- TracRedirect - automatic page redirection with the [[redirect(URL)]] syntax
```
$ svn co http://svn.ipd.uka.de/repos/javaparty/JP/trac/plugins/redirect-0.11/
$ cd redirect-0.11/
redirect-0.11$ sudo python setup.py bdist_egg
redirect-0.11$ sudo easy_install dist/TracRedirect-0.11.3.dev_r3272-py2.5.egg
```
- Svnauthz File Administration Plugin - an extension for managing who has permission to read SVN directories
```
$ svn co http://trac-hacks.org/svn/svnauthzadminplugin/0.11/ svnauthzadminplugin-0.11
$ cd svnauthzadminplugin-0.11
svnauthzadminplugin-0.11$ sudo python setup.py bdist_egg
svnauthzadminplugin-0.11$ sudo easy_install dist/SvnAuthzAdminPlugin-0.1.2._Moved.to.Trac.0.11_-py2.5.egg
```
- The font size, which I have habitually changed in the past
-
/usr/share/pyshared/trac/htdocs/css/trac.css
old new 1 1 body { background: #fff; color: #000; margin: 10px; padding: 0; } 2 2 body, th, td { 3 font: normal 1 2px Verdana,Arial,'Bitstream Vera Sans',Helvetica,sans-serif;3 font: normal 16px Verdana,Arial,'Bitstream Vera Sans',Helvetica,sans-serif; 4 4 } 5 5 h1, h2, h3, h4 { 6 6 font-family: Arial,Verdana,'Bitstream Vera Sans',Helvetica,sans-serif;
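Review bot: The font-size override on line 3 is made directly in the packaged stylesheet /usr/share/pyshared/trac/htdocs/css/trac.css, so an upgrade of the package that owns this file will overwrite it and the change will have to be redone by hand. Put the rule in a site-specific stylesheet pulled in from site.html instead, and consider a relative size rather than a fixed 16px so that browser text-size settings still apply.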
-
- The old templates no longer work either and have to be redefined using site.html - see Site Appearance
2009-04-23
- Moved /usr/share/pyshared/trac/wiki/default-pages to /usr/share/pyshared/trac/wiki/default-pages.dpkg, keeping only the three default pages RecentChanges, TitleIndex and WikiStart.
- Installed the AccountManager extension
```
$ svn co http://trac-hacks.org/svn/accountmanagerplugin/0.11 TracAccountManager-0.11
$ cd TracAccountManager-0.11/
TracAccountManager-0.11$ sudo python setup.py bdist_egg
TracAccountManager-0.11$ sudo easy_install dist/TracAccountManager-0.2.1dev_r5273-py2.5.egg
```
2009-05-05
- Following the record from 2008-03-28, cleaned up the ticket attacks on the two projects Cloud and Grid.
```
~$ sudo sqlite3 /forge/trac_pool/cloud/db/trac.db
sqlite> delete from ticket where id >= 1;
sqlite> delete from ticket_change where time >= 1241185964;
sqlite> .quit
~$ sudo sqlite3 /forge/trac_pool/grid/db/trac.db
sqlite> delete from ticket where id=10;
sqlite> delete from ticket where id=11;
sqlite> delete from ticket where id=12;
sqlite> delete from ticket where id=27;
sqlite> delete from ticket_change where time=1240251436;
sqlite> delete from ticket_change where time=1240007219;
sqlite> delete from ticket_change where time=1240031903;
sqlite> .quit
```
- Because version 0.11 displays Timeline dates in Chinese, customizing the Timeline view produces an error. The program logic probably still follows the 2009-05-05 format, so I added a format string to the template so that the date string submitted by the form matches the program logic.
```
"2009年05月05日" is an invalid date, or the date format is not known. Try "YYYY年MM月DD日" instead.
```
-
timeline/templates/timeline.html
old new 17 17 18 18 <form id="prefs" method="get" action=""> 19 19 <div> 20 <label>View changes from <input type="text" size="10" name="from" value="${format_date(fromdate )}" /></label> <br />20 <label>View changes from <input type="text" size="10" name="from" value="${format_date(fromdate,'%Y-%m-%d')}" /></label> <br /> 21 21 and <label><input type="text" size="3" name="daysback" value="$daysback" /> days back</label>. 22 22 </div> 23 23 <fieldset>
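Review bot: The hard-coded '%Y-%m-%d' on line 20 carries no comment saying that it works around the locale-formatted date being rejected when the form is submitted, so the next person to touch the template is likely to revert it. Add a template comment next to the `from` input explaining the reason, and keep the change as a tracked patch against timeline/templates/timeline.html so it can be reapplied after an upgrade.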
-
2009-06-09
- Installed piwik to count file downloads
```
# apt-get install php5-mysql php5-gd libsparkline-php mysql-server phpmyadmin
# apache2ctl restart
# cd /var/www/
/var/www# wget http://piwik.org/latest.zip
/var/www# unzip latest.zip
/var/www# chown -R www-data:www-data piwik/
```
- Once setup is complete, the system tells you how to add the Google Analytics-like JavaScript to the HTML
```
<!-- Piwik -->
<script type="text/javascript">
var pkBaseURL = (("https:" == document.location.protocol) ? "https://classcloud.org/piwik/" : "http://classcloud.org/piwik/");
document.write(unescape("%3Cscript src='" + pkBaseURL + "piwik.js' type='text/javascript'%3E%3C/script%3E"));
</script><script type="text/javascript">
try {
var piwikTracker = Piwik.getTracker(pkBaseURL + "piwik.php", 1);
piwikTracker.trackPageView();
piwikTracker.enableLinkTracking();
} catch( err ) {}
</script>
<!-- End Piwik Tag -->
```
- Installed awstats to count deb downloads
- Added the contents of /usr/share/doc/awstats/examples/apache.conf to /etc/apache2/sites-enabled/classcloud.conf
```
<VirtualHost X.X.X.X:80>
    ServerName www.classcloud.org
    ErrorLog /var/log/classcloud-error_log
    CustomLog /var/log/classcloud-access_log common
    DocumentRoot "/var/www/hadoop"
    <Directory "/var/www/hadoop">
        Order deny,allow
        Allow from all
    </Directory>
    <Directory /var/lib/awstats>
        Options None
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    <Directory /usr/share/awstats/icon>
        Options None
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    Alias /icon/ /usr/share/awstats/icon/
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
```
```
$ cat > /etc/awstats/awstats.classcloud.org.conf << EOF
LogFile="/var/log/classcloud-access_log"
LogFormat=4
SiteDomain="classcloud.org"
AllowFullYearView=3
EOF
```
- Run /usr/lib/cgi-bin/awstats.pl --config=classcloud.org
- Check whether http://classcloud.org/cgi-bin/awstats.pl shows any content
- So far the hadoop package has been downloaded only 94 times
2009-07-01
- [Memo] If trac fails at startup with the error message Database newer than Trac version, the fix can follow the steps below - ticket #6300
- Reference: http://use.perl.org/~Beatnik/journal/35866
```
jazz@drbl-xen-srv:~$ sudo apt-get install sqlite3
jazz@drbl-xen-srv:~$ sudo sqlite3 /forge/trac_pool/grid/db/trac.db
SQLite version 3.3.8
Enter ".help" for instructions
sqlite> select * from system;
database_version|20
repository_dir|svn:164b2d09-da6f-4c29-9524-243417f19678:/forge/trac_pool/maicl/svnroot
youngest_rev|12
sqlite> update system set value = 19 where name = "database_version";
sqlite> .quit
```
- Routine security upgrade - Debian GNU/Linux "lenny" second stable point release 5.0.2
```
jazz@trac-pool:~$ sudo apt-get upgrade
正在讀取套件清單... 完成
正在重建相依關係
正在讀取狀態資料... 完成
下列套件將會被升級:
  apache2 apache2-mpm-prefork apache2-utils apache2.2-common base-files gnupg gpgv libaprutil1
  libglib2.0-0 libpango1.0-0 libpango1.0-common libxcb-render0 libxcb-xlib0 libxcb-xlib0-dev
  libxcb1 libxcb1-dev linux-image-2.6.26-2-686 phpmyadmin screen tzdata x11-common xutils
升級 22 個,新安裝 0 個,移除 0 個,有 0 個未被升級。
```
2009-09-06
- Routine security upgrade
```
trac-pool:~# apt-get upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be upgraded:
  base-files devscripts dhcp3-client dhcp3-common libcurl3 libmysqlclient15off libperl5.10
  libssl0.9.8 libvolume-id0 linux-image-2.6.26-2-686 linux-libc-dev mysql-client-5.0 mysql-common
  mysql-server mysql-server-5.0 openssl perl perl-base perl-modules python-support tzdata udev
  wordpress x11-common xutils
25 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 74.5MB of archives.
After this operation, 1382kB of additional disk space will be used.
Do you want to continue [Y/n]?
```
2009-11-30
- Routine security upgrade
```
trac-pool:~# apt-get upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be upgraded:
  man-db libgnutls26 apache2-utils apache2.2-common apache2-mpm-prefork apache2 php5-common
  php5-cli libapache2-mod-php5 php5-mysql php5-mcrypt libgd2-xpm php5-gd libvorbis0a
  libvorbisenc2 libvorbisfile3 libvorbis-dev php-pear
18 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
```
2009-12-04
- Routine security upgrade
```
trac-pool:~# apt-get upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be upgraded:
  exim4-config man-db liblockfile1
3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
```
2010-02-08
- Routine security upgrade
```
jazz@trac-pool:~$ sudo apt-get upgrade
正在讀取套件清單... 完成
正在重建相依關係
正在讀取狀態資料... 完成
下列套件將會被升級:
  acpid base-files dhcp3-client dhcp3-common dpkg dpkg-dev gzip libc6 libc6-dev libc6-i686
  libdbd-mysql-perl libexpat1 libglib2.0-0 libkadm55 libkrb53 libldap-2.4-2 libldap2-dev libltdl3
  libltdl3-dev libmysqlclient15off libpq5 libssl0.9.8 libthai-data libthai0
  linux-image-2.6.26-2-686 linux-libc-dev locales login mysql-client-5.0 mysql-common
  mysql-server mysql-server-5.0 ntpdate openssl passwd python-docutils python-roman python2.4
  python2.4-dev python2.4-minimal python2.5 python2.5-dev python2.5-minimal tzdata usbutils
升級 45 個,新安裝 0 個,移除 0 個,有 0 個未被升級。
需要下載 98.5MB 的套件檔。
此操作完成之後,會多佔用 532kB 的磁碟空間。
是否繼續進行 [Y/n]?
```
- Installed the munin monitoring system - http://trac.nchc.org.tw/munin
```
jazz@trac-pool:~$ sudo apt-get install munin munin-node
```
2010-02-11
- [Debug] The trac host frequently shows the error message "clocksource tsc unstable" and then becomes inaccessible....
- [Reference] Service stopped and Clocksource tsc unstable...
- [Reference] Clocksource tsc unstable
- [Reference] Is "Clocksource tsc unstable" kernel msg a problem or not ?
- [Check] See whether /sys/devices/system/clocksource/clocksource0/available_clocksource lists acpi_pm
```
jazz@trac-pool:~$ cat /sys/devices/system/clocksource/clocksource0/available_clocksource
tsc acpi_pm jiffies
```
- [Fix] Change /sys/devices/system/clocksource/clocksource0/current_clocksource to acpi_pm
```
trac-pool:~# echo acpi_pm > /sys/devices/system/clocksource/clocksource0/current_clocksource
```
2010-02-20
- System security upgrade in response to the PHP5 security update
```
jazz@trac-pool:~$ sudo apt-get upgrade
正在讀取套件清單... 完成
正在重建相依關係
正在讀取狀態資料... 完成
下列套件將會被升級:
  libapache2-mod-php5 libmysqlclient15off mysql-client-5.0 mysql-common mysql-server
  mysql-server-5.0 php-pear php5-cli php5-common php5-gd php5-mcrypt php5-mysql
升級 12 個,新安裝 0 個,移除 0 個,有 0 個未被升級。
需要下載 0B/42.2MB 的套件檔。
此操作完成之後,會空出 504kB 的磁碟空間。
是否繼續進行 [Y/n]?
```
2010-02-25
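- [Debug] The trac host once again showed the "clocksource tsc unstable" error message and became inaccessible.... Not sure whether I actually made the GRUB menu.lst change last time.... or whether it was wiped out when apt-get upgrade updated the kernel.... Had to add it again by hand :(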
-
/boot/grub/menu.lst
old new 121 121 122 122 title Debian GNU/Linux, kernel 2.6.26-2-686 123 123 root (hd0,0) 124 kernel /boot/vmlinuz-2.6.26-2-686 root=/dev/sda1 ro 124 kernel /boot/vmlinuz-2.6.26-2-686 root=/dev/sda1 ro clocksource=acpi_pm 125 125 initrd /boot/initrd.img-2.6.26-2-686 126 126 127 127 title Debian GNU/Linux, kernel 2.6.26-2-686 (single-user mode)
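Review bot: clocksource=acpi_pm is added on line 124 to one kernel stanza only, so the hunk leaves the single-user entry that starts at line 127 unchanged, and a stanza generated for a later kernel will not carry the option either. On Debian's GRUB legacy, set it once in the `# kopt=` line of /boot/grub/menu.lst and run update-grub, which regenerates every kernel stanza with that option.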
-
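- Also noticed heavy apache load around twelve noon; not sure whether it comes from an attack or from a search engine.... Peak committed memory usage reached 3.88 GB; probably need to look into the cause.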
2010-02-26
- Ran into an ill-mannered 426 .... who for no reason opened 176 simultaneous web connections to the trac site....
```
jazz@drbl:~$ cat 10-02-26_trac_down_reason.log | grep ":" | awk '{ print $5 }' | sed 's#\:.*##' | sort -n | uniq -c | sort -n
... (omitted) ....
      3 114.25.224.118
    176 124.254.15.50
```
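The per-source count above, as an added example that is not part of the original log: it goes a little further than the one-liner by restricting the count to one local port, handling the IPv4-mapped `::ffff:` form that tcp6 sockets can show, and splitting out ESTABLISHED and CLOSE_WAIT. The function names and the sample snapshot are constructed here, and the input is assumed to be plain `netstat -ant` output without line numbers.

```shell
#!/bin/sh
# Constructed sample in `netstat -ant` layout; all addresses are documentation ranges.
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           203.0.113.7:51000       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.7:9508        ESTABLISHED
tcp6     536      0 192.0.2.10:80           203.0.113.7:9509        CLOSE_WAIT
tcp6     536      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.7:9510 CLOSE_WAIT
tcp6       0      1 192.0.2.10:80           203.0.113.7:9511        LAST_ACK
tcp        0      0 192.0.2.10:80           198.51.100.23:40112     ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.23:40113     TIME_WAIT
EOF
}

# count_by_source MIN [PORT]  (hypothetical helper, not from the original page)
# Reads netstat lines on stdin and prints, for every remote address holding at
# least MIN connections to local PORT (default 80):
#   total address est=<ESTABLISHED> close_wait=<CLOSE_WAIT>
count_by_source() {
  awk -v min="$1" -v port="${2:-80}" '
    $1 ~ /^tcp/ && $6 != "LISTEN" {
      n = split($4, loc, ":")              # local port is the last ":" field
      if (loc[n] != port) next
      src = $5
      sub(/:[0-9]+$/, "", src)             # strip the remote port only
      sub(/^::ffff:/, "", src)             # fold the IPv4-mapped form into IPv4
      total[src]++
      if ($6 == "ESTABLISHED") est[src]++
      if ($6 == "CLOSE_WAIT")  cw[src]++
    }
    END {
      for (s in total)
        if (total[s] >= min)
          printf "%d %s est=%d close_wait=%d\n", total[s], s, est[s], cw[s]
    }' | sort -k1,1nr -k2,2
}

sample_netstat | count_by_source 3
```

A source whose connections are mostly CLOSE_WAIT means the web server has not yet closed sockets the client already shut down, which is worth checking before concluding that the client is still connected.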
2010-03-08
- Routine security upgrade: fix for a sudo security vulnerability
```
jazz@trac-pool:~$ sudo apt-get upgrade
正在讀取套件清單... 完成
正在重建相依關係
正在讀取狀態資料... 完成
下列套件將會被升級:
  libcups2 libcupsimage2 libcupsys2 sudo
升級 4 個,新安裝 0 個,移除 0 個,有 0 個未被升級。
需要下載 493kB 的套件檔。
此操作完成之後,會空出 8192B 的磁碟空間。
是否繼續進行 [Y/n]?
```
2010-03-23
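- Yet another ill-mannered 426 .... opening multiple simultaneous web connections to the trac site for no reason.... Went straight to the same trick as last time. To the friends in Wuxi, Zhejiang who use this IP.... there is nothing else I can do.... you have a bad apple among you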
iptables -A INPUT -s 222.191.249.106 -j DROP
2010-03-24
- Routine security upgrade: PHP and Linux Kernel
```
jazz@trac-pool:~$ sudo apt-get upgrade
正在讀取套件清單... 完成
正在重建相依關係
正在讀取狀態資料... 完成
下列套件將會被升級:
  dpkg dpkg-dev libapache2-mod-php5 libpango1.0-0 libpango1.0-common linux-image-2.6.26-2-686
  linux-libc-dev php-pear php5-cli php5-common php5-gd php5-mcrypt php5-mysql
升級 13 個,新安裝 0 個,移除 0 個,有 0 個未被升級。
需要下載 30.2MB 的套件檔。
此操作完成之後,會多佔用 73.7kB 的磁碟空間。
是否繼續進行 [Y/n]?
```
2010-03-26
- Yet another 426; why are there so many cyber-troops....
129 tcp6 536 0 140.110.240.196:80 121.235.30.92:9508 CLOSE_WAIT -
-
iptables -A INPUT -s 121.235.30.92 -j DROP
- So iptables can count how many packets it has filtered!! Adding the "-c" option gives the statistics
```
jazz@trac-pool:~$ sudo iptables-save -c
... (omitted) ...
[726:33684] -A INPUT -s 121.235.30.92/32 -j DROP
[0:0] -A INPUT -s 222.191.249.106/32 -j DROP
[0:0] -A INPUT -s 124.254.15.50/32 -j DROP
... (omitted) ...
# Completed on Fri Mar 26 22:27:36 2010
```
- Having run into two more attacks, I wanted to see whether iptables could be used to drop sources that open too many connections at once. Following the article Using iptables to throttle incoming connections, I changed the rules to count connections to port 80, then used another machine running nc to simulate an attack. I found that after every 10 connections there is a 10-second pause.
```
iptables -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --set --name DEFAULT --rsource
iptables -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --update --seconds 10 --hitcount 10 --name DEFAULT --rsource -j DROP
```
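How the two `recent` rules above decide, as an added example that is not part of the original log: a simplified model of the match, run over a constructed trace of NEW packets, that shows why the tenth connection inside the window is the first one dropped and why a source is only let back in after it stays quiet for the whole window. The function names and the trace are constructed here; the model ignores the module's per-source stamp limit (`ip_pkt_list_tot`), which does not matter for a hitcount of 10.

```shell
#!/bin/sh
# Constructed trace of NEW (SYN) packets to port 80: "<seconds> <source>".
# One source connects once per second for 15 s, the other only twice.
sample_trace() {
  awk 'BEGIN {
    for (t = 0; t < 15; t++) {
      print t, "203.0.113.7"
      if (t == 2 || t == 12) print t, "198.51.100.23"
    }
  }'
}

# simulate_recent SECONDS HITCOUNT  (hypothetical helper, simplified model)
# Rule 1 (--set) stamps every NEW packet per source. Rule 2 (--update
# --seconds S --hitcount H -j DROP) matches when at least H stamps fall
# inside the last S seconds, and stamps the source again when it matches.
simulate_recent() {
  awk -v win="$1" -v hc="$2" '
    {
      t = $1; src = $2
      stamp[src, ++n[src]] = t             # rule 1: --set
      hits = 0
      for (i = 1; i <= n[src]; i++)
        if (stamp[src, i] >= t - win) hits++
      if (hits >= hc) {                    # rule 2 matches
        stamp[src, ++n[src]] = t           # --update refreshes the entry
        print t, src, "DROP"
      } else
        print t, src, "ACCEPT"
    }'
}

sample_trace | simulate_recent 10 10
```

Both rules look only at packets in state NEW, so connections that were accepted and are held open are never revisited; a cap on concurrent connections per source is a different control (the iptables `connlimit` match).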
- [Reference] Tuning network TCP TIME_WAIT to release connections quickly
```
On a busy server we often see many connections whose state is already "TIME_WAIT".
Adjusting system parameters lets these connections be released faster.

Change the system default tcp fin timeout
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
(set to 30 sec)

Adjust the tcp parameters
net.ipv4.tcp_tw_reuse = 0
net.ipv4.tcp_tw_reuse = 1 turns reuse on. It allows TIME-WAIT sockets to be reused for new TCP connections; the default is 0, meaning off
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_tw_recycle = 1 turns on fast recycling of TIME-WAIT sockets in TCP connections; the default is 0, meaning off
```
- Putting the rules above together, I wrote a script that enables the protection at boot.
```
#!/bin/sh
echo "clear rules"
iptables -F
iptables -X
iptables -Z
iptables -t nat -F

echo "drop ping and traceroute"
# type 8 = echo request, type 3 = destination unreachable, type 11 = time exceeded
iptables -A INPUT -i eth0 -p icmp -s any/0 --icmp-type 8 -j DROP
iptables -A OUTPUT -o eth0 -p icmp --icmp-type 3 -d any/0 -j DROP
iptables -A OUTPUT -o eth0 -p icmp --icmp-type 11 -d any/0 -j DROP

echo "drop abuse IP connections"
iptables -A INPUT -s 124.254.15.50 -j DROP
iptables -A INPUT -s 222.191.249.106 -j DROP
iptables -A INPUT -s 121.235.30.92 -j DROP

echo "drop connect more than 10 times in 10 seconds ..."
iptables -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --set --name DEFAULT --rsource
iptables -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --update --seconds 10 --hitcount 10 --name DEFAULT --rsource -j DROP

echo "decrease TCP socket TIME_WAIT time"
# tcp_fin_timeout sets how long orphaned sockets stay in FIN_WAIT2; it does not change the TIME_WAIT interval
echo 10 > /proc/sys/net/ipv4/tcp_fin_timeout
sysctl net.ipv4.tcp_tw_reuse=1
# tcp_tw_recycle can drop connections from clients behind NAT and was removed in Linux 4.12
sysctl net.ipv4.tcp_tw_recycle=1
```
2010-03-28
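- Continued blocking
```
69 tcp6 0 1 140.110.240.196:80 117.85.101.39:26243 LAST_ACK
70 tcp6 0 10081 140.110.240.196:80 117.85.101.39:26347 FIN_WAIT1
71 tcp6 1 90721 140.110.240.196:80 117.85.101.39:26337 LAST_ACK
```
- The delayed response added on 3/26 had no effect at all and instead increased the system load. Sigh~ I want to stay open so that more beginners can benefit, yet I also have to defend against these attacks; it really is a dilemma~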
2010-04-07